6.4.3 Detection and Authorization of Dual-Use Capability at Inference Time
Original Problem in the Paper
Motivation: if assessments flag dual-use domain competence, providers may need to avoid public default exposure while preserving legitimate uses, such as cybersecurity professionals identifying and patching vulnerabilities. Open problems: detect requests for dual-use capabilities, distinguish legitimate from malicious requests, and require authentication or authorization before access, such as certified expert, red-teamer, or researcher status. The paper treated proof-of-concept authorization schemes as future work rather than deployed practice.
July 2026 Update & Trajectory
Dual-use gating has moved from hypothetical proposals to narrow provider-described programs and safeguards. Anthropic’s RSP materials describe ASL-3 safeguards with classifier guards, trusted-user access controls or exemptions, red-teaming, bug bounties, threat intelligence, and security controls; its 2024 ASL-3 planning discussion also described a defense-in-depth design with real-time and asynchronous classifier layers. OpenAI’s Feb. 5, 2026 Trusted Access for Cyber announcement and Cybersecurity Grant Program update describe an identity/trust-based cyber access pilot, classifier-based monitoring for suspicious cyber activity, and $10M in API credits for defensive deployment. Reliable intent classification remains unverified in the public materials reviewed here: OpenAI says it can be difficult to tell whether a cyber action is defensive or harmful, and NIST describes AI measurement and safety science as generally immature. The sources reviewed here support narrow, domain/provider-specific access-gating and monitoring programs, not a general inference-time authorization standard.
Deployed / Operationalized
- Provider-described tiered or trusted access exists in narrow contexts: Anthropic describes trusted-user access controls/exemptions for ASL-3 protections and earlier planned enhanced due diligence for partners based on trustworthiness and beneficial use-case; OpenAI describes identity/trust-based Trusted Access for Cyber for users, enterprises, and invite-only defensive researchers or teams.
- Public evidence supports narrower classifier/monitoring deployments or plans: Anthropic describes chemical/biological classifier guards in ASL-3 protections and earlier planned real-time/asynchronous classifier layers; OpenAI describes automated classifier-based monitors for suspicious cyber activity in its Trusted Access for Cyber pilot.
- OpenAI describes Trusted Access for Cyber as an identity/trust-based pilot for defensive cyber work and says its Cybersecurity Grant Program commits $10M in API credits for defensive cyber deployment; the grant page says offensive-security projects are not considered for funding.
New Tractable Vectors
- Route detected dual-use requests into authorization workflows where a provider has a vetted access path, rather than relying only on blanket refusal.
- Develop domain-specific gating stacks—such as cyber suspicious-activity monitors and chemical/biological classifier guards—paired with identity verification, organizational vetting where appropriate, logging, and revocable access.
- Offer researcher, red-team, or defensive-user modes with compensating controls, usage-policy obligations, monitoring, and access revocation.
Key Open Questions
- Distinguishing malicious intent from legitimate dual-use work under ambiguity, roleplay, jailbreaks, and staged multi-turn requests.
- Privacy-preserving credential and authorization schemes for sensitive occupations or researchers across jurisdictions.
- Preventing authorized users from laundering capabilities to unauthorized users or automating harmful workflows outside the stated defensive or research purpose.
- Independently evaluating whether provider-described classifier guards and monitoring systems work with acceptable false-positive and false-negative rates in real deployment contexts.
Evidence & Primary Sources
- The original paper’s Section 6.4.3 frames the problem as avoiding public default exposure of dual-use capabilities while preserving legitimate uses such as cybersecurity professionals identifying and patching vulnerabilities; it identifies detection of dual-use requests, legitimate-versus-malicious classification, and authentication/authorization for experts as open problems, and treats authorization schemes as hypothetical future work. (2024-07-20): https://arxiv.org/abs/2407.14981
- Anthropic’s Responsible Scaling Policy page lists RSP version 3.3 as effective/last updated May 26, 2026. The page’s Oct. 15, 2024 “Planned ASL-3 Safeguards” discussion describes planned deployment safeguards including access controls tailored to deployment context/user groups, enhanced due diligence based on trustworthiness and beneficial use-case, real-time prompt/completion classifiers, asynchronous monitoring classifiers, and post-hoc jailbreak detection. (2026-05-26 page; 2024-10-15 planning section): https://www.anthropic.com/responsible-scaling-policy
- Anthropic’s Frontier Safety Roadmap says current ASL-3 protections include safeguards at least as robust as Constitutional Classifiers, access controls for trusted users with exemptions to classifier guards, red-teaming, bug bounties, threat intelligence, and security controls; it ties current classifier-guard red-teaming to chemical and biological weapons and describes a goal for automated investigation of sophisticated cyber attacks using Claude. (2026 roadmap page): https://www.anthropic.com/responsible-scaling-policy/roadmap
- OpenAI’s Trusted Access for Cyber announcement says OpenAI is piloting an identity- and trust-based framework for potentially high-risk cybersecurity work; users can verify identity, enterprises can request trusted access for teams, researchers/teams can express interest in an invite-only program, automated classifier-based monitors will detect potential signals of suspicious cyber activity, trusted users remain bound by Usage Policies and Terms, and OpenAI commits $10M in API credits for cyber defense. (2026-02-05): https://openai.com/index/trusted-access-for-cyber/
- OpenAI’s Cybersecurity Grant Program page says its Feb. 5, 2026 update introduced Trusted Access for Cyber and committed $10M in API credits, focusing the program on large-scale deployment of models to accelerate cyber defense; it gives strong preference to defensive cybersecurity applications and says offensive-security projects will not be considered for funding. (2026-02-05 update on 2023-06-01 page): https://openai.com/index/openai-cybersecurity-grant-program/
- NIST AI 600-1 treats CBRN information/capabilities and information security as GAI risks; it recommends ongoing assessment and monitoring, evaluation of safety measures before deployment and on an ongoing basis, safety-guardrail review, adversarial testing, and attention to GAI systems’ connection or access to relevant data and tools. It is voluntary profile guidance and does not prescribe a specific dual-use authorization scheme. (approved 2024-07-25): https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf
- OWASP’s GenAI Security Project/LLM Top 10 documents deployment-relevant LLM application risks including prompt injection, sensitive information disclosure, and model theft; this is supporting context for deployment safeguards, not direct evidence for dual-use authorization. (2025 project page): https://owasp.org/www-project-top-10-for-large-language-model-applications/